(57) It is an object of the present invention to provide a method and an apparatus for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve as well as to provide an elliptic curve cryptosystem and a storage medium therefor.

To achieve the above object, conditions concerning a curve order are extracted from criteria for transformability of a normal form elliptic curve to a Montgomery type elliptic curve and are given in a curve parameter generator incorporating a transformability judgement unit. Furthermore, to generate a curve having a cofactor of 4, the condition whether a curve order is divisible by 8 is given.
Description

Technical Field 

[0001] The present invention relates to a security technique for computer networks, and more particularly to a method for generating an elliptic curve used especially for elliptic curve cryptography, an elliptic curve apparatus, an elliptic curve cryptosystem, and a storage medium storing said method.

Background Art 

[0002] As an elliptic curve for elliptic curve cryptography, a normal form elliptic curve $y^2 = f(x)$ may be used, where $f(x) = x^3 + ax + b$ ($a, b \in F_p$), $F_p$ is a finite field composed of $p$ elements, and $p$ is a large prime number. Each set $(x_0, y_0)$, where $x_0, y_0 \in F_p$, satisfying the equation $y_0^2 = f(x_0)$ is called a point on the curve. Operation can be performed in the set of all of these points plus a point at infinity, and the number of the points is called a curve order. When a curve order is denoted by $n$ and expressed as $n = cl$ where $c$ is a positive integer, called a cofactor, and $l$ is a large prime number, the elliptic curve is called safe if the value of $c$ is small. In a method for generating a safe normal form elliptic curve, described in ANSI X9.62, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", 1999, a normal form elliptic curve is repeatedly generated at random, and its safety is evaluated based on its curve order until a safe normal form elliptic curve is obtained.

[0003] Furthermore, according to "P. L. Montgomery, Speeding the Pollard and Elliptic Curve Methods of Factorization, Math. Comp. 48 (1987) 243-264", by using the Montgomery type elliptic curve $BY^2 = X^3 + AX^2 + X$ ($A, B \in F_p$), operation can be performed at higher speed than by use of a normal form elliptic curve. A normal form elliptic curve can be transformed to a Montgomery type elliptic curve when a point on the normal form elliptic curve corresponds to a point on the Montgomery type elliptic curve, one to one, and operation on one point coincides with operation on the other. Not all normal form elliptic curves can be transformed to Montgomery type elliptic curves. Requirements for a normal form elliptic curve to be transformable to a Montgomery type elliptic curve are described in a paper entitled "Calculation Method for Elliptic Curve Cryptographic Operation" by Tetsuya Izu (1999 Symposium on Cryptography and Information Security, Publication vol. 1, 1999, 275-280). The above paper also discloses that the curve order of each Montgomery type elliptic curve is always divisible by 4.

[0004] However, the above conventional technique has given no consideration to generation of a normal form elliptic curve transformable to a Montgomery type elliptic curve. Therefore, to generate a safe normal form elliptic curve transformable to a Montgomery type elliptic curve, it is necessary to generate a safe normal form elliptic curve and then determine whether it is transformable to a Montgomery type elliptic curve, and if not, a safe normal form elliptic curve is generated again and the above procedure must be repeated until a safe normal form elliptic curve transformable to a Montgomery type elliptic curve is found. Generally, a process for generating a safe normal form elliptic curve takes longer time than a process for determining whether it can be transformed to a Montgomery type elliptic curve. Because of this, generation of an elliptic curve having the above properties requires a large amount of time, making it difficult to regularly replace an elliptic curve with a new elliptic curve having the above properties in elliptic curve cryptography to ensure network security. Incidentally, to ensure security against an attack using the Baby-Step-Giant-Step method in which precalculation for the attack can be performed by knowing only the respective elliptic curve without knowing the public key, the elliptic curve must be regularly replaced with a new one, and no other effective methods exist. This means that in the above conventional technique, a specific elliptic curve is easily attacked.

[0005] It is an object of the present invention to provide a method, an apparatus, an elliptic curve cryptosystem, and a storage medium for generating an elliptic curve to improve operation speed and security.

Disclosure of Invention 

[0006] To achieve the above object, the present invention provides a method for generating an elliptic curve, comprising the steps of: generating a first elliptic curve, for example, $y^2 = x^3 + ax + b$; determining whether said first elliptic curve can be transformed to a second elliptic curve, for example, $BY^2 = X^3 + AX^2 + X$; and determining safety of the first elliptic curve transformable to said second elliptic curve. Here, as the first elliptic curve, an elliptic curve defined over a field of a predetermined prime order may be used. Further, said step of determining whether said first elliptic curve can be transformed to said second elliptic curve includes steps of: determining whether there is $\alpha$ for which $f(\alpha) = 0$ for said first elliptic curve $y^2 = f(x) = x^3 + ax + b$; and determining whether $f'(\alpha)$ has a square root for $\alpha$ for which $f(\alpha) = 0$. Further, said step of determining the safety of said first elliptic curve includes steps of: extracting information on a curve order of said first elliptic curve; and judging a cofactor based on the information on said curve order. The present invention further provides a method for generating an elliptic curve, comprising the steps of: generating a first elliptic curve $y^2 = x^3 + ax + b$; generating a second elliptic curve $y^2 = x^3 + ar^2x + br^3$; determining whether said first elliptic curve can be transformed to a third elliptic curve $BY^2 = X^3 + AX^2 + X$; and when said first elliptic curve can be transformed to said third elliptic curve, judging safety of said first elliptic curve and said second elliptic curve. The present invention provides a method for generating an elliptic curve defined over a prime field in elliptic curve cryptography, comprising the steps of: randomly generating a normal form elliptic curve $y^2 = x^3 + ax + b$; determining whether said generated normal form elliptic curve $y^2 = x^3 + ax + b$ can be transformed to a Montgomery type elliptic curve $BY^2 = X^3 + AX^2 + X$; determining divisibility of a curve order of said elliptic curve by 8; collecting information on the curve order of said elliptic curve; and judging a value of a cofactor based on the information on said curve order; wherein a normal form elliptic curve which can be transformed to a Montgomery type elliptic curve and whose cofactor is 4 is generated. The present invention provides an apparatus for generating an elliptic curve, comprising: elliptic curve candidate generating means for generating a first elliptic curve $y^2 = x^3 + ax + b$; transformability judgement means for determining whether said first elliptic curve can be transformed to a second elliptic curve $BY^2 = X^3 + AX^2 + X$; safety judgement means for determining safety of the first elliptic curve transformable to said second elliptic curve. Here, said transformability judgement means includes: root existence judgement means for determining whether there is $\alpha$ for which $f(\alpha) = 0$ for said first elliptic curve; and square root judgement means for determining whether $f'(\alpha)$ has a square root for $\alpha$ for which $f(\alpha) = 0$. Alternatively, said transformability judgement means includes: root existence judgement means for determining whether there is $\alpha$ for which $f(\alpha) = 0$ for said first elliptic curve; and quadratic residue judgement means for determining whether $f'(\alpha)$ is a quadratic residue for $\alpha$ for which $f(\alpha) = 0$. The present invention provides an apparatus for generating an elliptic curve employed in a cryptosystem in which a first computer and a second computer carry out cryptocommunications with each other, wherein said apparatus receives a request for generation of an elliptic curve from each said computer and generates a normal form elliptic curve transformable to a Montgomery type elliptic curve. The present invention provides a cryptosystem for carrying out cryptocommunications by use of elliptic curve cryptography, comprising: a first computer for receiving cryptocommunication; a second computer for transmitting cryptocommunication; and an elliptic curve generating apparatus for receiving a request for generation of an elliptic curve from said first computer and generating a normal form elliptic curve transformable to a Montgomery type elliptic curve. Further, said cryptosystem further comprises a curve replacement management apparatus for managing whether it is necessary to replace an elliptic curve being used for cryptocommunications, wherein when it becomes necessary to replace said elliptic curve, the elliptic curve is replaced with an elliptic curve newly generated by said elliptic curve generating apparatus to carry out cryptocommunications. It should be noted that to achieve the above object, a storage medium may be used to store programs implementing functions performed by the methods, apparatuses, and systems described above.

Brief Description of Drawings 

[0007] 

Fig. 1 is a diagram showing a flow of processes performed in a method and an apparatus for generating an elliptic curve in a curve parameter generation server in an elliptic curve cryptosystem according to a first embodiment of the present invention.
Fig. 2 is a flowchart showing a method for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve, this method being included in a method and an apparatus for generating an elliptic curve according to the first embodiment of the present invention.
Fig. 3 is a flowchart showing a method for determining whether a normal form elliptic curve can be transformed to a Montgomery type elliptic curve, this method being included in a transformability judgement unit in a method and an apparatus for generating an elliptic curve according to the present invention.
Fig. 4 is a flowchart showing a method for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve, this method being included in a method and an apparatus for generating an elliptic curve according to applications of the first and the second embodiments of the present invention.
Fig. 5 is a diagram showing a flow of processes performed in a method and an apparatus for generating an elliptic curve in a curve parameter generation server in an elliptic curve cryptosystem according to the second embodiment of the present invention.
Fig. 6 is a flowchart showing a method for generating a normal form elliptic curve whose cofactor is 4 and which can be transformed to a Montgomery type elliptic curve, this method being included in a method and an apparatus for generating an elliptic curve according to the second embodiment of the present invention.
Fig. 7 is a flowchart showing a method for determining whether the curve order of a normal form elliptic curve transformable to a Montgomery type elliptic curve can be divided by 8, this method being provided in a parameter generator of elliptic curve according to the second embodiment of the present invention. The flowchart particularly shows determination of the divisibility when the characteristic prime of the definition field is congruent to 1 modulo 4.
Fig. 8 is a flowchart showing a method for determining whether the curve order of a normal form elliptic curve transformable to a Montgomery type elliptic curve can be divided by 8, this method being provided in a parameter generator of elliptic curve according to the second embodiment of the present invention. The flowchart particularly shows determination of the divisibility when the characteristic prime of the definition field is congruent to 3 modulo 4.
Fig. 9 is a table listing conditions for divisibility by 8 according to the second embodiment of the present invention.
Fig. 10 is a diagram showing a flow of processes performed in a method and an apparatus for generating an elliptic curve in a curve parameter generation server in an elliptic curve cryptosystem according to a third embodiment of the present invention.
Fig. 11 is a flowchart showing a method for generating a normal form elliptic curve whose cofactor is 4 and which can be transformed to a Montgomery type elliptic curve, this method being included in a method and an apparatus for generating an elliptic curve according to the third embodiment of the present invention.
Fig. 12 is a flowchart showing a method for judging whether a normal form elliptic curve is suitable according to the third embodiment of the present invention. The flowchart particularly shows determination of the suitability when the characteristic prime of the definition field is congruent to 1 modulo 4.
Fig. 13 is a flowchart showing a method for judging whether a normal form elliptic curve is suitable according to the third embodiment of the present invention. The flowchart particularly shows determination of the suitability when the characteristic prime of the definition field is congruent to 3 modulo 4.
Fig. 14 is a configurational diagram of an elliptic curve cryptosystem according to the present invention.
Fig. 15 is a flowchart showing a method for generating a curve in an elliptic curve cryptosystem according to a fourth embodiment of the present invention.
Fig. 16 is a configurational diagram of an elliptic curve cryptosystem according to a fifth embodiment of the present invention.
Fig. 17 is a flowchart showing a method for generating a curve in an elliptic curve cryptosystem according to the fifth embodiment of the present invention.
Fig. 18 is a configurational diagram of an elliptic curve cryptosystem according to a sixth embodiment of the present invention.
Fig. 19 is a flowchart showing a method for generating a curve in an elliptic curve cryptosystem according to the sixth embodiment of the present invention.
Fig. 20 is a configurational diagram of an elliptic curve cryptosystem according to a seventh embodiment of the present invention.
Fig. 21 is a flowchart showing a method for generating a curve in an elliptic curve cryptosystem according to the seventh embodiment of the present invention.
Fig. 22 is a diagram showing a flow of processes in a method and an apparatus for judging transformability of a normal form elliptic curve to a Montgomery type elliptic curve in a parameter generator of elliptic curve.
Fig. 23 is a diagram showing a flow of processes in which a normal form elliptic curve is transformed to a Montgomery type elliptic curve in a curve parameter transformer in an elliptic curve cryptosystem according to the present invention.
Fig. 24 is a flowchart showing a method for transforming curve parameters.
Fig. 25 is a diagram showing a flow of processes in a method and an apparatus for judging transformability of a normal form elliptic curve to a Montgomery type elliptic curve in a parameter generator of elliptic curve according to the present invention.
Fig. 26 is a flowchart showing a method for judging transformability of a normal form elliptic curve to a Montgomery type elliptic curve.
Fig. 27 shows a data structure according to embodiments of the present invention.
Fig. 28 is a diagram showing an embodiment of a curve permutation management apparatus.
Fig. 29 is a sequence chart showing a flow of processes for curve parameter permutation in an elliptic curve cryptosystem in which a curve permutation management apparatus is incorporated in a public key server.

Best Mode for Carrying Out the Invention 

[0008] An embodiment according to the present invention will be described below with reference to the accompanying drawings. Fig. 14 is a configurational diagram of an elliptic curve cryptosystem according to the present invention.

[0009] First, description will be made of a parameter generator of elliptic curve in a curve parameter generation server constituting an elliptic curve cryptosystem, with reference to Figs. 1 and 2. Fig. 1 is a diagram showing a method for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve in a curve parameter generation server in an elliptic curve cryptosystem according to a first embodiment. Fig. 2 is a flowchart showing a method for generating curve parameters for a normal form elliptic curve in a parameter generator of elliptic curve 101 according to the first embodiment.

[0010] The parameter generator of elliptic curve 101 receives definition field information 103 and outputs curve parameters 108 using the following procedure. Here, as the definition field information 103, either definition field information 2701, which includes the bit length of the definition field, or definition field information 2704, which includes the characteristic prime of the definition field, is given as shown in Fig. 27. At step 201, a generation unit of normal form elliptic curve candidates 104 randomly generates a normal form elliptic curve based on the definition field information 103. A method for randomly generating a normal form elliptic curve is described in ANSI X9.62, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", 1999. At step 202, a transformability judgement unit 102 determines whether a normal form elliptic curve generated in the generation unit of normal form elliptic curve candidates 104 can be transformed to a Montgomery type elliptic curve. If it cannot be transformed to a Montgomery type elliptic curve, the generation unit of normal form elliptic curve candidates 104 generates a normal form elliptic curve again and the same process is repeated until a normal form elliptic curve transformable to a Montgomery type elliptic curve is found. At step 204, a collection unit of curve order information 107 collects information on the curve order of a normal form elliptic curve which has been determined to be transformable to a Montgomery type elliptic curve by the transformability judgement unit 102. A curve order determination method in which information on the curve order of a given elliptic curve is collected to determine the curve order is described in "Elliptic curves over finite fields and the computation of square roots mod p", by R. Schoof, Math. Comp. 44, 1985, 483-494. A cofactor judgement unit 106 determines whether the cofactor is smaller than a value predetermined based on safety conditions using the information on the curve order obtained from the collection unit of curve order information 107, at step 205, and if the cofactor is larger than the value, the generation unit of normal form elliptic curve candidates 104 generates a normal form elliptic curve again. Then, by following the above procedure again, the cofactor judgement unit 106 determines whether the cofactor is smaller than the value using information on the curve order of a normal form elliptic curve transformable to a Montgomery type elliptic curve. The same procedure is repeated until it is determined that a cofactor is smaller than the value predetermined based on safety conditions. If a cofactor is smaller, the cofactor judgement unit 106 outputs a safe normal form elliptic curve which has been generated using the above procedure and which can be transformed to a Montgomery type elliptic curve, as curve parameters, at step 206.

[0011] The transformability judgement unit 102 judges whether a normal form elliptic curve can be transformed to a Montgomery type elliptic curve using the following procedure. A transformability judgement example will be described with reference to the flowchart in Fig. 3. To determine the existence of a solution, the transformability judgement unit 102 checks whether there is any element $\alpha$ of $F_p$ for which $f(\alpha) = 0$ for the normal form elliptic curve $y^2 = f(x) = x^3 + ax + b$, at step 301. If there is no such element $\alpha$, the transformability judgement unit 102 outputs the indication "not transformable" at step 304 and the process ends. If there is such an element $\alpha$, the transformability judgement unit 102 judges whether there is an element $\alpha$ for which $f'(\alpha)$ is a quadratic residue in $F_p$ where $f(\alpha) = 0$ in quadratic residue determination at step 302. If there is such an element $\alpha$, the transformability judgement unit 102 outputs the indication "transformable" at step 303 and the process ends. If there is no such element $\alpha$, the transformability judgement unit 102 outputs the indication "not transformable" at step 304 and the process ends. Here, a residue modulo $p$ (a prime) is called a quadratic residue when there is a square root, while it is called quadratic non-residue when there is no square root.
[0012] The reason why transformability can be judged by the procedure described above is explained as follows. In a Montgomery elliptic curve, there is a point (0, 0), which becomes a point at infinity by a 2-time operation. In general, however, in a normal form elliptic curve, such a point does not always exist. In order for a normal form elliptic curve to be transformable to a Montgomery elliptic curve, the existence of a point that becomes a point at infinity by a 2-time operation on the normal form elliptic curve is required. Generally speaking, a point that does not become a point at infinity till an m-time operation is carried out is referred to as an m-order point. A point $(\alpha, 0)$ where $\alpha$ satisfies $f(\alpha) = 0$ is a 2-order point. If a normal form elliptic curve is transformable to a Montgomery elliptic curve, a 2-order point that exists on the normal form elliptic curve and becomes the point at infinity (0, 0) after transformation is required. Assume that a point $(\alpha, 0)$ is such a point. In this case, transformation of a point on a normal form elliptic curve to a point on a Montgomery elliptic curve must be expressed as $X = s(x - \alpha)$, $Y = ty$ ($s \neq 0$, $t \neq 0$) for $s, t \in F_p$. Since $(X, Y)$ is a point on the Montgomery elliptic curve, $X$ and $Y$ satisfy the equation $BY^2 = X^3 + AX^2 + X$. Substituting $s(x - \alpha)$ and $ty$ for $X$ and $Y$ respectively in the equation $BY^2 = X^3 + AX^2 + X$ results in an equation of $Bt^2y^2 = s^3(x - \alpha)^3 + As^2(x - \alpha)^2 + s(x - \alpha)$. On the other hand, since $(x, y)$ is a point on the normal form elliptic curve, $x$ and $y$ satisfy the equation $y^2 = f(x)$. Substituting $f(x)$ for $y^2$ of the equation $Bt^2y^2 = s^3(x - \alpha)^3 + As^2(x - \alpha)^2 + s(x - \alpha)$ results in an equation of $Bt^2f(x) = s^3(x - \alpha)^3 + As^2(x - \alpha)^2 + s(x - \alpha)$. By comparing the term $x^3$, $Bt^2 = s^3$ is obtained. Substituting this in the above equation results in an equation of $s^2f(x) = s^2(x - \alpha)^3 + As(x - \alpha)^2 + (x - \alpha)$ as $s \neq 0$ holds true. Let the equation $s^2f(x) = s^2(x - \alpha)^3 + As(x - \alpha)^2 + (x - \alpha)$ be differentiated with respect to $x$, and substitute $\alpha$ for $x$ in the resultant equation to get the equation $s^2f'(\alpha) = 1$. Since $s$ is an element of $F_p$, $f'(\alpha)$ must be a quadratic residue. In addition, at that time, $A = 3\alpha s$ and $B = s^3/t^2$ hold true. Conversely speaking, if $f'(\alpha)$ is a quadratic residue, by setting $s = t = f'(\alpha)^{-1/2}$, $A = 3\alpha s$, and $B = s$, the normal form elliptic curve can be transformed to a Montgomery elliptic curve represented by the equation $BY^2 = X^3 + AX^2 + X$.

[0013] The above description indicates that the judgment on transformability can be formed in accordance with the procedure described above since the procedure is based on the following requirement. That is to say, the fact that a 2-order point on a normal form elliptic curve can become a 2-order point on a Montgomery elliptic curve and vice versa is required as a necessary condition for transformability.

[0014] In addition, the fact that the curve order of a Montgomery elliptic curve can be divided by 4 can be understood as follows. The point (0, 0) on a Montgomery elliptic curve is a 2-order point. If a discriminant $(A^2 - 4)$ of the expression $X^2 + AX + 1$ is a quadratic residue, the equation $X^2 + AX + 1 = 0$ has roots in $F_p$. Thus, since there are two 2-order points other than the point (0, 0), the curve order of a Montgomery elliptic curve can be divided by 4. If the discriminant $(A^2 - 4)$ is a quadratic non-residue, on the other hand, only one of expressions $(A + 2)$ and $(A - 2)$ is a quadratic residue while the other is a quadratic non-residue. Thus, one of the expressions $(A + 2)/B$ and $(A - 2)/B$ is a quadratic residue. If the expression $(A + 2)/B$ is a quadratic residue, coordinates $(1, \pm y)$ each represent a 4-order point where the symbol $y$ denotes a square root for the quadratic residue. If the expression $(A - 2)/B$ is a quadratic residue, on the other hand, coordinates $(-1, \pm y)$ each represent a 4-order point where the symbol $y$ denotes a square root for the quadratic residue. Thus, the curve order can be divided by 4 in either case.
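
The judgement of Fig. 3 and the parameter transformation derived in [0012] can be exercised on a toy field, which also confirms the divisibility by 4 argued in [0014]. The following Python is an added example, not code from the patent; the prime 1009, the two sample curves and all function names are constructed for illustration, and roots are found by exhaustive search, which is only workable for such a small field.

```python
P = 1009  # constructed toy prime; real parameters use a large prime

def is_qr(v, p=P):
    """Euler's criterion: True when v is a non-zero square in F_p."""
    return pow(v % p, (p - 1) // 2, p) == 1

def f(x, a, b, p=P):
    return (x**3 + a * x + b) % p

def df(x, a, p=P):
    """f'(x) = 3x^2 + a."""
    return (3 * x * x + a) % p

def transformable_root(a, b, p=P):
    """Steps 301-302: a root alpha of f with f'(alpha) a quadratic residue,
    or None when the curve is "not transformable" (step 304)."""
    for alpha in range(p):  # exhaustive root search, toy field only
        if f(alpha, a, b, p) == 0 and is_qr(df(alpha, a, p), p):
            return alpha
    return None

def to_montgomery(a, b, p=P):
    """Return (A, B, alpha) with s = t = f'(alpha)^(-1/2), A = 3*alpha*s, B = s."""
    alpha = transformable_root(a, b, p)
    if alpha is None:
        return None
    d = df(alpha, a, p)
    root = next(u for u in range(1, p) if u * u % p == d)  # sqrt by search
    s = pow(root, -1, p)
    return (3 * alpha * s % p, s, alpha)

def affine_points(a, b, p=P):
    """All (x, y) with y^2 = f(x); the curve order is len(...) + 1."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get(f(x, a, b, p), [])]

def map_point(pt, alpha, s, p=P):
    """(x, y) -> (X, Y) = (s(x - alpha), t*y), taking t = s."""
    x, y = pt
    return (s * (x - alpha) % p, s * y % p)

def on_montgomery(pt, A, B, p=P):
    X, Y = pt
    return (B * Y * Y - (X**3 + A * X * X + X)) % p == 0

def check(a, b, p=P):
    """Transform the curve; return (A, B, order, every_point_maps) or None."""
    params = to_montgomery(a, b, p)
    if params is None:
        return None
    A, B, alpha = params
    pts = affine_points(a, b, p)
    ok = all(on_montgomery(map_point(pt, alpha, B, p), A, B, p) for pt in pts)
    return (A, B, len(pts) + 1, ok)

if __name__ == "__main__":
    # Constructed curves: (a, b) = (938, 230) has f(5) = 0 and f'(5) = 4;
    # y^2 = x^3 + 11x has the single root 0 with f'(0) = 11, a non-residue.
    print(check(938, 230))
    print(check(11, 0))
```
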

[0015] Operation speed on an elliptic curve depends on a definition field size. The operation speed decreases as the definition field size increases. The safety of an elliptic curve depends on the size of the maximum prime number included in its curve order. The larger the prime number, the safer the elliptic curve. With the size of a definition field fixed, the cofactor must be reduced to enhance safety. Since the curve order of a Montgomery type elliptic curve can be divided by 4, its cofactor is 4 or more. To enhance safety to a maximum with the size of a definition field fixed, the cofactor must be set to be 4.

[0016] It should be noted that other transformability criteria can be used instead of use of the curve order. One of such methods is described on page 278 of the document "Calculation Method for Elliptic Curve Cryptographic Operation" (1999 Symposium on Cryptography and Information Security, Publication vol. 1, 1999, 275-280).

[0017] Next, description will be made of an application of the method of the first embodiment for generating a safe normal form elliptic curve transformable to a Montgomery type elliptic curve in a curve parameter generation server 1401 in an elliptic curve cryptosystem shown in Fig. 14 with reference to Figs. 1 and 4. Fig. 4 is a flowchart showing a method for generating curve parameters of a normal form elliptic curve in the parameter generator of elliptic curve 101.

[0018] The parameter generator of elliptic curve 101 receives definition field information 103 and outputs curve parameters 108 using the following procedure. Here, as the definition field information 103, either definition field information 2701, which includes the bit length of the definition field, or definition field information 2704, which includes the characteristic prime of the definition field, is given as shown in Fig. 27. At step 401, the generation unit of normal form elliptic curve candidates 104 randomly generates a normal form elliptic curve based on the definition field information 103. The normal form elliptic curve $y^2 = f_r(x) = x^3 + ar^2x + br^3$ is called the twist of the normal form elliptic curve $y^2 = f(x) = x^3 + ax + b$, where an element $r$ is a quadratic non-residue in $F_p$. To discriminate from the twist, the normal form elliptic curve $y^2 = x^3 + ax + b$ is explicitly called "original". At step 402, the transformability judgement unit 102 determines whether a normal form elliptic curve and its twist normal form elliptic curve both generated in the generation unit of normal form elliptic curve candidates 104 can be transformed to Montgomery type elliptic curves. If the original normal form elliptic curve can be transformed to a Montgomery type elliptic curve, so can its twist normal form elliptic curve. When both curves are not transformable, the generation unit of normal form elliptic curve candidates 104 generates a normal form elliptic curve again and the above process is repeated until a normal form elliptic curve transformable to a Montgomery type elliptic curve is found. At step 403, the collection unit of curve order information 107 collects information on the curve orders of original and twist normal form elliptic curves which have been determined to be transformable to Montgomery type elliptic curves by the transformability judgement unit 102. The cofactor judgement unit 106 determines whether each cofactor is smaller than a value predetermined based on safety conditions using information on the curve orders of the original and the twist obtained by the collection unit of curve order information 107, at step 404, and if both cofactors are larger than the value, the generation unit of normal form elliptic curve candidates 104 generates a normal form elliptic curve again. Then, by following the above procedure again, the cofactor judgement unit 106 determines whether each cofactor is smaller than the value using information on the curve orders of the normal form elliptic curves transformable to Montgomery type elliptic curves. The same procedure is repeated until it is determined that one of the cofactors is smaller than the value predetermined based on safety conditions. If one of the cofactors is smaller, the cofactor judgement unit 106 outputs the safe normal form elliptic curve which has been generated using the above procedure and which can be transformed to a Montgomery type elliptic curve, as curve parameters, at step 405. In the above application, since transformability of both an original and its twist normal form elliptic curves to Montgomery type elliptic curves is determined together at once, it is possible to increase the number of normal form elliptic curve candidates subjected to stability judgement, resulting in curve generation at higher speed.

[0019] When an original normal form elliptic curve can be transformed to a Montgomery type elliptic curve, its twist normal form elliptic curve also can be transformed to a Montgomery type elliptic curve based on the following reason. Since an original normal form elliptic curve can be transformed to a Montgomery type elliptic curve, there is $\alpha$ for which $f(\alpha) = 0$ and $f'(\alpha)$ is a quadratic residue. At that time, since $f_r(r\alpha) = 0$ and $f_r'(r\alpha) = r^2f'(\alpha)$, $f_r'(r\alpha)$ is a quadratic residue. Therefore, the twist normal form elliptic curve also can be transformed to a Montgomery type elliptic curve. Similarly, since an original normal form elliptic curve is the twist of its twist normal form elliptic curve, if a twist normal form elliptic curve can be transformed to a Montgomery type elliptic curve, its original normal form elliptic curve also can be transformed to a Montgomery type elliptic curve. When the original normal form elliptic curve $y^2 = x^3 + ax + b$ is transformed to the Montgomery type elliptic curve $BY^2 = X^3 + AX^2 + X$, the twist normal form elliptic curve $y^2 = x^3 + ar^2x + br^3$ is transformed to the Montgomery type elliptic curve $(B/r)Y^2 = X^3 + AX^2 + X$.
[0020] Fig. 5 is a diagram showing a method for gen- 
erating a normal form elliptic curve whose curve order 
is 4 × a prime number, that is, whose cofactor is 4 and
which can be transformed to a Montgomery type elliptic 
curve in a curve parameter generation server in an el- 
liptic curve cryptosystem according to the second em- 
bodiment of the present invention. Fig. 6 is a flowchart 
showing a method for generating the curve parameters 
of a normal form elliptic curve whose cofactor is 4 and 
which can be transformed to a Montgomery type elliptic 
curve in a parameter generator of elliptic curve 501 ac- 
cording to the second embodiment. As described 
above, when a normal form elliptic curve can be trans- 
formed to a Montgomery type elliptic curve, its curve or- 
der is a multiple of 4. However, to attain high safety, a 
curve order of (4 × a prime number) is preferably se-
lected from among possible curve order values.
[0021] A parameter generator of elliptic curve 501 re- 
ceives definition field information 503 and outputs curve 
parameters 508 using the following procedure. Here, as 
the definition field information 503, either definition field 
information 2701, which includes the bit length of the 
definition field, or definition field information 2704, which 
includes the characteristic prime of the definition field, 
is given as shown in Fig. 27. At step 601, a generation
unit of normal form elliptic curve candidates 504 ran- 
domly generates a normal form elliptic curve based on 
the definition field information 503. At step 602, the 
transformability judgement unit 502 determines whether 
a normal form elliptic curve generated by the generation 
unit of normal form elliptic curve candidates can be 
transformed to a Montgomery type elliptic curve. If it 
cannot be transformed to a Montgomery type elliptic 
curve, the generation unit of normal form elliptic curve 
candidates 504 generates a normal form elliptic curve 
again and the same process is repeated until a normal 
form elliptic curve transformable to a Montgomery type 
elliptic curve is found. A judgement unit of divisibility by 
eight 505 determines whether the curve order of a nor- 
mal form elliptic curve which has been determined to be 
transformable to a Montgomery type elliptic curve by the 
transformability judgement unit 502 is divisible by 8, at 
step 603. When the curve order of the above elliptic 
curve is divisible by 8, the generation unit of normal form 
elliptic curve candidates 504 generates a normal form 
elliptic curve again and by following the above proce- 
dure again, the judgement unit of divisibility by eight 505 
determines whether the curve order of the normal form 
elliptic curve transformable to a Montgomery type elliptic 
curve is divisible by 8. The same procedure is repeated 
until it is determined that a curve order cannot be divided
by 8. When a curve order cannot be divided by 8, a col-
lection unit of curve order information 507 collects infor-
mation on the curve order of the normal form elliptic
curve which can be transformed to a Montgomery type
elliptic curve and which cannot be divided by 8, at step
604. At step 605, a cofactor judgement unit 506 deter-
mines whether the cofactor is 4 based on the curve order
information obtained from the collection unit of curve or- 
der information 507. If it is determined that the cofactor 
exceeds 4, the generation unit of normal form elliptic 
curve candidates 504 generates a normal form elliptic 
curve again. Then, by following the above procedure 
again, the cofactor judgement unit 506 determines 
whether the cofactor is 4 using information on the curve 
order of the normal form elliptic curve which can be 
transformed to a Montgomery type elliptic curve and 
whose curve order cannot be divided by 8. The same 
procedure is repeated until it is determined that the co- 
factor is 4. If the cofactor is 4, the cofactor judgement 
unit 506 outputs the normal form elliptic curve which has 
been generated using the above procedure and can be 
transformed to a Montgomery type elliptic curve and 
whose cofactor is 4, as curve parameters, at step 606. 
[0022] The judgement unit of divisibility by eight 505 
determines whether the curve order of a normal form 
elliptic curve transformable to a Montgomery type elliptic 
curve is divisible by 8 using the following procedure. 
Figs. 7 and 8 are flowcharts showing a method for de- 
termining divisibility by 8 according to the second em- 
bodiment. 

[0023] At step 701, the process flow is separated into
two branches depending on whether the characteristic
prime of a definition field is 1 modulo 4 or 3 modulo 4.
If the characteristic prime of the definition field is 1
modulo 4, the process flow proceeds to step 702. If the
characteristic prime of the definition field is 3 modulo 4,
on the other hand, the process flow proceeds to step 801.
At step 702, the process flow is separated into two
branches depending on the number of roots of the equation
$f(x) = 0$ in $F_p$. If the number of roots is 1, the process
flow proceeds to step 704, while if the number of roots
is 3, the process flow proceeds to step 703. At step 703,
it is determined whether $(A + 2)/B$ is a quadratic residue
in $F_p$. If it is a quadratic residue, the curve order can be
divided by 8 at step 705. If it is a quadratic non-residue,
the curve order cannot be divided by 8 at step 706. At
step 704, it is determined whether $f'(\alpha)^{1/2}$ is a quadratic
residue in $F_p$. If it is a quadratic non-residue, the curve
order cannot be divided by 8 at step 706. If it is a
quadratic residue, on the other hand, the curve order can be
divided by 8 at step 705. Thus, it can be determined
whether a curve order can be divided by 8 when the
characteristic prime of the definition field is 1 modulo 4.
When the characteristic prime of the definition field is 3
modulo 4, the process flow is separated into two branches
depending on the number of roots of the equation
$f(x) = 0$ in $F_p$ at step 801. If the number of roots is 1, the
flow proceeds to step 802. If the number of roots is 3,
the curve order can be divided by 8 at step 705. At step
802, it is determined whether $A + 2$ is a quadratic residue
in $F_p$. If it is a quadratic non-residue, the curve order
cannot be divided by 8 at step 706. If it is a quadratic
residue, the curve order can be divided by 8 at step 705.
Thus, it can be determined whether a curve order can
be divided by 8 when the characteristic prime of the
definition field is 3 modulo 4.

[0024] The basis of the possible formation of a judgment
on exact-divisibility-by-8 of the curve order of a
normal form elliptic curve transformable to a Montgomery
elliptic curve in accordance with the procedure
described above is explained as follows. Let the equation
$BY^2 = X^3 + AX^2 + X$ represent a Montgomery elliptic
curve obtained as a result of transformation of a normal
form elliptic curve. First of all, let the number of roots of
$f(x) = 0$ in $F_p$ be 1. In this case, the only 2-order point
on the normal form elliptic curve is a point $(\alpha, 0)$. Since
the x coordinate of a 2-order point on the Montgomery
elliptic curve is a root of the equation $X^3 + AX^2 + X = 0$
in $F_p$ and the point $(0, 0)$ on the Montgomery elliptic
curve corresponds to the point $(\alpha, 0)$ on the normal form
elliptic curve, the equation $X^2 + AX + 1 = 0$ does not
have a root in $F_p$. Thus, the discriminant $(A^2 - 4)$ is a
quadratic non-residue in $F_p$. If the expression $(A + 2)/B$
is a quadratic residue, coordinates $(1, \pm y)$ each represent
a 4-order point where the symbol $y$ denotes a
square root for the quadratic residue. If the expression
$(A - 2)/B$ is a quadratic residue, on the other hand,
coordinates $(-1, \pm Y)$ each represent a 4-order point where
the symbol $Y$ denotes a square root for the quadratic
residue. Since the discriminant $(A^2 - 4)$ is a quadratic
non-residue, one of the expressions $(A + 2)/B$ and
$(A - 2)/B$ must be a quadratic residue. Thus, a 4-order point
always exists in this case.

[0025] Assume that a point $(u, v)$ on the Montgomery
elliptic curve is a 2-time point of another point $(w, z)$ on
this curve. A tangential line passing through the point
$(w, z)$ is represented by an equation of
$Y = ((3w^2 + 2Aw + 1)/(2Bz))(X - w) + z$. Since the tangential
line crosses the curve at a point $(u, -v)$, $u$ and $-v$ satisfy
the equation $Y = ((3w^2 + 2Aw + 1)/(2Bz))(X - w) + z$. Thus,
substituting $u$ and $-v$ respectively for $X$ and $Y$ in the
equation $Y = ((3w^2 + 2Aw + 1)/(2Bz))(X - w) + z$, multiplying
the expressions on both the sides of the equal sign '=' of the
result of the substitution with $2Bz$ and squaring the products
on both the sides obtained as results of the multiplication
produce an equation of
$4Bv^2 \cdot Bz^2 = ((3w^2 + 2Aw + 1)(u - w) + 2Bz^2)^2$.
Since the points $(w, z)$ and $(u, -v)$ exist on the curve,
equations $Bz^2 = w^3 + Aw^2 + w$ and $Bv^2 = u^3 + Au^2 + u$ hold
true. Substituting $(w^3 + Aw^2 + w)$ and $(u^3 + Au^2 + u)$
respectively for $Bz^2$ and $Bv^2$ in the equation
$4Bv^2 \cdot Bz^2 = ((3w^2 + 2Aw + 1)(u - w) + 2Bz^2)^2$
results in an equation of
$4(w^3 + Aw^2 + w)(u^3 + Au^2 + u) = ((3w^2 + 2Aw + 1)(u - w) + 2(w^3 + Aw^2 + w))^2$.
Since the tangential line is tangential to the curve at the
point $(w, z)$ and, in addition, the value of $w$ is different from
that of $u$, division by $(u - w)^2$ is possible, resulting in an
equation of $(3w^2 + 2Aw + 1)^2 - 4(w^3 + Aw^2 + w)(u + A + 2w) = 0$.
The equation $(3w^2 + 2Aw + 1)^2 - 4(w^3 + Aw^2 + w)(u + A + 2w) = 0$
is rearranged to give an equation of $w$ as follows:
$w^4 - 4uw^3 - (4Au + 2)w^2 - 4uw + 1 = 0$.
Since $w$ is not equal to 0, the expression can be divided
by $w^2$ to result in an equation of $(w + 1/w)$ as follows:
$(w + 1/w)^2 - 4u(w + 1/w) - 4(Au + 1) = 0$. Assume that
$w \in F_p$. In this case, $1/w \in F_p$ and $(w + 1/w) \in F_p$. In order
for the above equation of $(w + 1/w)$ to have a root in $F_p$,
the discriminant $4(u^2 + Au + 1)$ must be a quadratic residue.

[0026] Let the symbol $\varepsilon$ denote one of the square roots
of $u^2 + Au + 1$. In this case, the following
equation holds true: $(w + 1/w) = 2(u \pm \varepsilon)$. In order for the
equation $(w + 1/w) = 2(u \pm \varepsilon)$ of $w$ to have a root in $F_p$,
the discriminant $((u \pm \varepsilon)^2 - 1)$ must be a quadratic residue.
Since an equation of
$((u + \varepsilon)^2 - 1)((u - \varepsilon)^2 - 1) = u^2(A^2 - 4)$
holds true and the expression $(A^2 - 4)$ is a quadratic
non-residue, only either an expression of $((u + \varepsilon)^2 - 1)$
or an expression of $((u - \varepsilon)^2 - 1)$ is a quadratic residue.
In this case, the following equation holds true:
$w = (u \pm \varepsilon) \pm \sqrt{(u \pm \varepsilon)^2 - 1}$. Let the symbol $\delta$
denote $(u \pm \varepsilon)$. In this case, the following equation holds
true: $w^2 + Aw + 1 = (2\delta + A)(\delta \pm \sqrt{\delta^2 - 1})$ and, hence,
the following equation holds true:
$Bz^2 = (2\delta + A)(\delta \pm \sqrt{\delta^2 - 1})^2$. In
order for $z$ to satisfy $z \in F_p$, an expression of $(2\delta + A)/B$
must be a quadratic residue. Also in this case, since
the equation $(2(u + \varepsilon) + A)(2(u - \varepsilon) + A) = A^2 - 4$ holds
true, only either an expression of $(2(u + \varepsilon) + A)/B$ or an
expression of $(2(u - \varepsilon) + A)/B$ is a quadratic residue. If
the same signs are used for both in an alternative condition
for the quadratic residues, $w, z \in F_p$. If the above
equation is rewritten into an equation of
$(u \pm \varepsilon)^2 - 1 = u(2(u \pm \varepsilon) + A)$, the following equation
holds true:
$((u \pm \varepsilon)^2 - 1)((2(u \pm \varepsilon) + A)/B) = (u/B)(2(u \pm \varepsilon) + A)^2$.
Thus, if an expression of $u/B$ is a quadratic residue, the same
signs can be used for both in an alternative condition for
the quadratic residues, implying that a point $(w, z)$ becoming
a 2-time point $(u, v)$ exists. To sum up, the above
description indicates that, if expressions $(u^2 + Au + 1)$
and $u/B$ are both a quadratic residue, a point $(w, z)$ becoming
a 2-time point $(u, v)$ exists.
[0027] The x coordinates of 4-order points are $\pm 1$. Thus,
the existence of an 8-order point can be indicated by
whether or not expressions $A \pm 2$, $B$ and $-1$ are quadratic
residues.

[0028] The value $-1$ is a quadratic residue if the
characteristic prime of a definition field is 1 modulo 4. On the
other hand, the value $-1$ is a quadratic non-residue if the
characteristic prime of a definition field is 3 modulo 4.
Whether an expression of $A^2 - 4$ is a quadratic residue
or a quadratic non-residue is determined in dependence
on whether the number of roots of $f(x) = 0$ is 1 or 3. The
sum of the curve order of an original and the curve order
of its twist is $2(p + 1)$. Thus, in the case that the number
of roots of $f(x) = 0$ is 3, when the characteristic prime of
a definition field is 1 modulo 4, if the curve order of an
original can be divided by 8, the curve order of the twist
cannot be divided by 8 and, if the curve order of an orig- 
inal cannot be divided by 8, on the contrary, the curve 
order of the twist can be divided by 8. When the char- 
acteristic prime of a definition field is 3 modulo 4, on the 
other hand, if the curve order of an original can be di- 
vided by 8, the curve order of its twist can also be divided 
by 8 and, if the curve order of an original cannot be di- 
vided by 8, on the contrary, the curve order of its twist 
cannot be divided by 8 as well. The above description 
can be summarized into a table shown in Fig. 9. After 
judgments are formed in accordance with the proce- 
dures represented by the flowcharts shown in Figs. 7 
and 8, a judgment on the exact-divisibility-by-8 of a 
curve order can be made in accordance with the table 
shown in Fig. 9. 

[0029] In the method of a judgment on the exact
divisibility by 8, the formation of a judgment as to whether
or not an expression of $A + 2$ is a quadratic residue at
the step 802 can be based on the outcome of a judgment
as to whether or not an expression of $A - 2$ is a quadratic
residue. If the number of roots of the equation $f(x) = 0$
is 1, an expression of $(A^2 - 4)$ is a quadratic non-residue.
Thus, if the expression $(A + 2)$ is a quadratic residue,
the expression $(A - 2)$ is a quadratic non-residue and, if
the expression $(A + 2)$ is a quadratic non-residue, the
expression $(A - 2)$ is a quadratic residue. In this way, the
formation of a judgment as to whether or not the expression
$A + 2$ is a quadratic residue at the step 703 can be
based on the outcome of a judgment as to whether or
not the expression $A - 2$ is a quadratic residue. If the
number of roots of the equation $f(x) = 0$ is 3, on the other
hand, the expression $(A^2 - 4)$ is a quadratic residue.
Thus, if an expression of $(A + 2)/B$ is a quadratic residue,
an expression of $(A - 2)/B$ is also a quadratic residue and,
if the expression $(A + 2)/B$ is a quadratic non-residue,
the expression $(A - 2)/B$ is also a quadratic non-residue.
In this way, the formation of a judgment as to whether
or not the expression $(A + 2)/B$ is a quadratic residue at
the step 703 can be based on the outcome of a judgment
as to whether or not the expression $(A - 2)/B$ is a
quadratic residue. The formation of a judgment as to whether
or not an expression of $f'(\alpha)^{1/2}$ is a quadratic residue at
the step 704 can also be based on the outcome of a
judgment as to whether or not $B$ is a quadratic residue.
This is because if the expression $f'(\alpha)^{1/2}$ is a quadratic
residue, $B$ is also a quadratic residue and, if the expression
$f'(\alpha)^{1/2}$ is a quadratic non-residue, $B$ is also a
quadratic non-residue.
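The decision procedure of paragraphs [0021] to [0029] can be exercised on toy prime fields. The following Python sketch is an added illustration and not part of the patent text: it assumes the usual change of variables $s = f'(\alpha)^{-1/2}$, $A = 3\alpha s$, $B = s$ for the Montgomery form, applies step 704 in its equivalent form on $B$ from paragraph [0029], and compares the decision of Figs. 7 and 8 with brute-force point counts. All function names are hypothetical.

```python
# Added illustration, not part of the patent text. Toy primes p > 3 only.
# Assumption: Montgomery form via s = f'(alpha)^(-1/2), A = 3*alpha*s, B = s.

def legendre(v, p):
    """1 for a nonzero quadratic residue mod p, -1 for a non-residue, 0 for 0."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(v, p):
    """A square root of a residue v mod p, found by exhaustive search."""
    return next(r for r in range(p) if r * r % p == v % p)


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_singular(a, b, p):
    return (4 * a**3 + 27 * b * b) % p == 0


def curve_order(a, b, p):
    """Points on y^2 = x^3 + a*x + b over F_p, including the point at infinity."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))


def to_montgomery(a, b, p):
    """Return (alpha, A, B, root_count), or None if not transformable."""
    roots = [x for x in range(p) if (x**3 + a * x + b) % p == 0]
    for alpha in roots:
        d = (3 * alpha * alpha + a) % p            # f'(alpha)
        if legendre(d, p) == 1:                    # transformability condition
            s = pow(sqrt_mod(d, p), p - 2, p)      # inverse square root of f'(alpha)
            return alpha, 3 * alpha * s % p, s, len(roots)
    return None


def order_divisible_by_8(A, B, root_count, p):
    """Decision of Figs. 7 and 8; (A+2)/B is a residue exactly when (A+2)*B is."""
    if p % 4 == 1:
        if root_count == 3:
            return legendre((A + 2) * B, p) == 1   # step 703
        return legendre(B, p) == 1                 # step 704, restated on B per [0029]
    if root_count == 3:
        return True                                # step 801, three roots
    return legendre(A + 2, p) == 1                 # step 802


def verify_field(p):
    """Compare the decision with brute force; returns (curves_checked, mismatches)."""
    checked = mismatches = 0
    for a in range(p):
        for b in range(p):
            m = None if is_singular(a, b, p) else to_montgomery(a, b, p)
            if m is None:
                continue
            n = curve_order(a, b, p)
            checked += 1
            # A transformable curve must also have an order divisible by 4.
            if n % 4 or order_divisible_by_8(m[1], m[2], m[3], p) != (n % 8 == 0):
                mismatches += 1
    return checked, mismatches


def cofactor4_curves(p):
    """Steps 601-606 run over every (a, b): returns (a, b, order) with cofactor 4."""
    found = []
    for a in range(p):
        for b in range(p):
            if is_singular(a, b, p):
                continue
            m = to_montgomery(a, b, p)                                   # step 602
            if m is None or order_divisible_by_8(m[1], m[2], m[3], p):   # step 603
                continue
            n = curve_order(a, b, p)                                     # step 604
            if is_prime(n // 4):                                         # step 605
                found.append((a, b, n))                                  # step 606
    return found


if __name__ == "__main__":
    for p in (13, 19, 37, 43):
        print(p, verify_field(p), len(cofactor4_curves(p)))
```

Because the order is only counted after the quadratic-residue tests have passed, the exhaustive loop mirrors the ordering of steps 602 to 605, where the expensive point count is deferred until the cheap checks succeed.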

[0030] In the second embodiment, an implementation 
with a cofactor of 4 is an optimum implementation 
wherein the method of a judgment on the exact divisi- 
bility by 8 is adopted. It should be noted, however, that 
the scope of the present invention is not limited to this 
implementation. For example, it is also possible to use 
an integer that is derived from a relation of 'the curve 
order = the cofactor × a prime number'.
[0031] The method described using Fig. 4 as an ap-
plication to the first embodiment also can be applied to
the second embodiment.

[0032] Next, description will be made of a method for 
generating a normal form elliptic curve according to a 
third embodiment. 

[0033] Fig. 10 is a diagram showing a method for
generating a normal form elliptic curve whose curve order
is 4 × a prime number, that is, whose cofactor is 4, and
which can be transformed to a Montgomery type elliptic
curve in a curve parameter generation server in an
elliptic curve cryptosystem according to the third
embodiment. Fig. 11 is a flowchart showing a method for
generating the curve parameters of a normal form elliptic
curve whose cofactor is 4 and which can be transformed
to a Montgomery type elliptic curve in a parameter
generator of elliptic curve 1001 according to the third
embodiment.

[0034] A parameter generator of elliptic curve 1001
receives definition field information 1003 and outputs
curve parameters 1008 using the following procedure.
Here, as the definition field information 1003, either
definition field information 2701, which includes the bit
length of the definition field, or definition field information
2704, which includes the characteristic prime of the
definition field, is given as shown in Fig. 27. At step 1101,
a generation unit of normal form elliptic curve candidates
1004 randomly generates a normal form elliptic
curve based on the definition field information 1003. At
step 1102, a judgement unit of suitability 1002 determines
whether a normal form elliptic curve generated
by the generation unit of normal form elliptic curve
candidates 1004 and its twist normal form elliptic curve can
be transformed to Montgomery type elliptic curves and
the curve order of each curve can be divided by 8. If they
are not transformable, or the curve orders of both the
original and the twist normal form elliptic curves are
divisible by 8 even if they are transformable, the generation
unit of normal form elliptic curve candidates 1004
generates a normal form elliptic curve again. Then, the
same procedure is repeated until it is determined that
both the original and the twist normal form elliptic curves
can be transformed to Montgomery type elliptic curves
and the curve order of one of the original and the twist
normal form elliptic curves is not divisible by 8. When
both the original and the twist normal form elliptic curves
can be transformed to Montgomery type elliptic curves
and the curve order of one of the original and the twist
normal form elliptic curves is not divisible by 8, a collection
unit of curve order information 1007 collects information
on the curve order of a normal form elliptic curve
which can be transformed to a Montgomery type elliptic
curve whose curve order or the curve order of whose
twist is not divisible by 8, at step 1103. At step 1104, a
cofactor judgement unit 1006 judges whether the cofactor
is 4 based on the curve order information obtained
from the collection unit of curve order information 1007.
If the cofactor exceeds 4, the generation unit of normal
form elliptic curve candidates 1004 generates a normal
form elliptic curve again. Then, by following the above
procedure again, the cofactor judgement unit 1006
determines whether the cofactor is 4 using information on
the curve order of the normal form elliptic curve which
can be transformed to a Montgomery type elliptic curve
and whose curve order cannot be divided by 8. The
same procedure is repeated until it is determined that
the cofactor is 4. If the cofactor is 4, the cofactor
judgement unit 1006 outputs the normal form elliptic curve
which has been generated using the above procedure
and can be transformed to a Montgomery type elliptic
curve and whose cofactor is 4, as curve parameters, at
step 1105.

[0035] The judgement unit of suitability 1002 judges 
whether a given normal form elliptic curve and its twist 
normal form elliptic curve can be transformed to Mont- 
gomery type elliptic curves and the curve order of each 
curve can be divided by 8. Figs. 12 and 13 are flowcharts 
showing a method for determining suitability of a normal 
form elliptic curve according to the third embodiment. 
[0036] At step 1201, the process flow is separated into
two branches depending on whether the prime number
of a definition field is 1 modulo 4 or 3 modulo 4. If the
characteristic prime of the definition field is 1 modulo 4,
the process flow proceeds to step 1202. If the characteristic
prime of the definition field is 3 modulo 4, on the
other hand, the process flow proceeds to step 1301. At
step 1202, the process flow is separated into two
branches depending on the number of roots of the equation
$f(x) = 0$ in $F_p$. If the number of roots is 1, the process
flow proceeds to step 1204, while if the number of roots
is 3, the process flow proceeds to step 1203. If the equation
$f(x) = 0$ has no root in $F_p$, both the original and the
twist normal form elliptic curves cannot be transformed
to Montgomery type elliptic curves and therefore are not
suitable, at step 1209. Step 1203 selects $\alpha$ for which
$f(\alpha) = 0$ and $f'(\alpha)$ is a quadratic residue in $F_p$. For this $\alpha$,
a normal form elliptic curve can be transformed to a
Montgomery type elliptic curve. At step 1205, it is determined
whether $(A + 2)/B$ is a quadratic residue in $F_p$. If
it is a quadratic residue, the curve order of the original
normal form elliptic curve can be divided by 8 but that of
the twist normal form elliptic curve cannot be divided by 8.
Therefore, the twist is selected at step 1207. If it is a
quadratic non-residue, on the other hand, the curve order of
the twist normal form elliptic curve can be divided by 8 but
that of the original normal form elliptic curve cannot be
divided by 8. Therefore, the original is selected at step
1208. At step 1204, it is determined whether $f'(\alpha)$ is a
quadratic residue in $F_p$. If it is a quadratic non-residue,
both the original and the twist normal form elliptic curves
cannot be transformed to Montgomery type elliptic curves,
and therefore are not suitable, at step 1209. If it is a
quadratic residue, the process flow proceeds to step 1206. In
this case, the normal form elliptic curve can be transformed
to a Montgomery type elliptic curve. At step 1206, it is
determined whether $f'(\alpha)^{1/2}$ is a quadratic residue in $F_p$.
If it is a quadratic non-residue, the curve order of the twist
normal form elliptic curve can be divided by 8, while that of
the original normal form elliptic curve cannot be divided
by 8. Therefore, the original is selected at step 1208. If it
is a quadratic residue, the curve order of the original
normal form elliptic curve can be divided by 8, while that of
the twist normal form elliptic curve cannot be divided by 8.
Therefore, the twist is selected at step 1207. As described
above, in the case where the characteristic
prime of the definition field is 1 modulo 4, it is possible
to select a normal form elliptic curve which can be
transformed to a Montgomery type elliptic curve and whose
curve order is not divisible by 8 when an original and its
twist normal form elliptic curves are given. Alternatively,
it can be determined that given curves should be discarded
when they are not suitable. When the characteristic
prime of the definition field is 3 modulo 4, the process
flow is separated into two branches depending on
the number of roots of the equation $f(x) = 0$ in $F_p$ at step
1301. If the number of roots is 1, the process flow proceeds
to step 1302. If the number of roots is 3, or the
equation $f(x) = 0$ has no root in $F_p$, both a given original
and its twist normal form elliptic curves are not
transformable, or the curve orders of both curves are divisible
by 8 even if they are transformable. Therefore, they are
not suitable at step 1209. At step 1302, it is determined
whether $f'(\alpha)$ is a quadratic residue in $F_p$. If it is a
quadratic non-residue, both the original and the twist normal
form elliptic curves are not transformable, and therefore
are not suitable, at step 1209. If it is a quadratic residue,
the process flow proceeds to step 1303. In this case,
both the given original and twist normal form elliptic
curves can be transformed to Montgomery type elliptic
curves. At step 1303, it is determined whether $A + 2$ is
a quadratic residue in $F_p$. If it is a quadratic non-residue,
the curve orders of both the original and the twist normal
form elliptic curves are not divisible by 8, and therefore
both the original and the twist are selected at step 1305.
If it is a quadratic residue, the curve orders of both the
original and the twist normal form elliptic curves are
divisible by 8, and therefore they are
not suitable at step 1209. As described above, in the
case where the prime number of a definition field is 3
modulo 4, it is possible to select a normal form elliptic
curve which can be transformed to a Montgomery type
elliptic curve and whose curve order is not divisible by
8 when an original and its twist normal form elliptic
curves are given. Alternatively, it can be determined that
given curves should be discarded when they are not
suitable.

[0037] Based on the following reason, it is possible to
select a normal form elliptic curve which can be transformed
to a Montgomery type elliptic curve and whose
curve order is not divisible by 8 when an original and its
twist normal form elliptic curves are given, or the given
curves can be discarded when they are not suitable, by
using the above procedures. In the flowcharts shown in
Figs. 12 and 13, it is determined whether a normal form
elliptic curve can be transformed to a Montgomery type
elliptic curve at the first half of the step flow, while it is
determined whether the curve order of a normal form
elliptic curve transformable to a Montgomery type elliptic
curve is divisible by 8 based on Fig. 9, at the second half
of the step flow. It should be noted that when comparing
the Montgomery type elliptic curve for the original normal
form elliptic curve and the Montgomery type elliptic
curve for the twist normal form elliptic curve, if the
coefficient of $Y^2$ of the former Montgomery type elliptic curve
is a quadratic residue, the coefficient of $Y^2$ of the latter
is a quadratic non-residue, and vice versa. At step 1203,
$\alpha$ for which $f'(\alpha)$ is a quadratic residue can always be
selected, based on the following reason. When the
discriminant of $f(x)$ is denoted by $\Delta$, $\Delta$ is a quadratic residue
if the equation $f(x) = 0$ has 3 roots. On the other hand,
when the roots of the equation $f(x) = 0$ are denoted by
$\alpha$, $\beta$, and $\gamma$, $\Delta = -16 f'(\alpha) f'(\beta) f'(\gamma)$. Accordingly, at least
one of $f'(\alpha)$, $f'(\beta)$, and $f'(\gamma)$ is a quadratic residue.
[0038] Next, description will be made of an elliptic 
curve cryptosystem which incorporates an apparatus for
generating a safe normal form elliptic curve transform- 
able to a Montgomery type elliptic curve according to a 
fourth embodiment, with reference to Fig. 14. 
[0039] A curve parameter generation server 1401
incorporates the parameter generator of elliptic curve 101
of the first embodiment for generating a safe normal
form elliptic curve transformable to a Montgomery type
elliptic curve. A computer A1402 generates a pair of
private and public keys to carry out cryptocommunications
by elliptic curve cryptography using a Montgomery type
elliptic curve. A public key server 1403 registers the public
key of each computer, and receives a public key inquiry
and transmits the public key of a specified computer.
A computer B1404 carries out cryptocommunications
with the computer A1402 by elliptic curve cryptography
using a Montgomery type elliptic curve.
[0040] According to the fourth embodiment, an elliptic
curve cryptosystem carries out cryptocommunications
by utilizing the parameter generator of elliptic curve using
the following procedure as shown by the flowchart
in Fig. 15. The computer A1402 asks the curve parameter
generation server 1401 to generate a safe normal
form elliptic curve transformable to a Montgomery type
elliptic curve at step 1501. Based on the above request
for generation of the curve, the curve parameter generation
server 1401 generates the curve parameters 108
by supplying the definition field information 103 to the
parameter generator of elliptic curve 101, at step 1502.
Here, as the definition field information 103, either
definition field information 2701, which includes the bit
length of the definition field, or definition field information
2704, which includes the characteristic prime of the
definition field, is given as shown in Fig. 27. As new curve
parameters, the curve parameter generation server
1401 supplies to the computer A1402 the defining equation
and the curve order of a normal form elliptic curve
transformable to a Montgomery type elliptic curve, and
the defining equation of a Montgomery type elliptic curve
obtained by transforming the normal form elliptic curve
as well as the x coordinate of a 2-order point on the normal
form elliptic curve corresponding to the point (0,0)
on the Montgomery type elliptic curve, at step 1503. The
computer A1402 generates a pair of private and public
keys based on the given new curve parameters at step
1504. The computer A1402 registers the above generated
public key in the public key server 1403 at step
1505. The computer B1404 inquires of the public key
server 1403 about the public key of the computer A1402
at step 1506. Based on the public key inquiry made by
the computer B1404, the public key server 1403 supplies
the public key of the computer A1402 to the computer
B1404 at step 1507. The computer B1404 performs
encryption operation with the public key of the
computer A1402 by utilizing a Montgomery type elliptic
curve to carry out cryptocommunications with the computer
A1402 at step 1508.

[0041] Fig. 16 is a diagram showing an elliptic curve
cryptosystem which incorporates an apparatus for generating
a safe normal form elliptic curve transformable
to a Montgomery type elliptic curve according to a fifth
embodiment.

[0042] A curve parameter generation server 1601
incorporates the parameter generator of elliptic curve 101
of the first embodiment for generating a safe normal
form elliptic curve transformable to a Montgomery type
elliptic curve. A computer A1602 generates a pair of
private and public keys to carry out cryptocommunications
by elliptic curve cryptography using a Montgomery type
elliptic curve. A public key server 1603 registers the public
key of each computer, and receives a public key inquiry
and transmits the public key of a specified computer.
A computer B1604 carries out cryptocommunications
with the computer A1602 by elliptic curve cryptography
using a Montgomery type elliptic curve. A curve
parameter transformer 1605 receives a normal form
elliptic curve transformable to a Montgomery type elliptic
curve, and outputs the Montgomery type elliptic curve
corresponding to the normal form elliptic curve as well
as the x coordinate of a 2-order point on the normal form
elliptic curve corresponding to the point (0,0) on the
Montgomery type elliptic curve.

[0043] According to the fifth embodiment, an elliptic curve cryptosystem
carries out cryptocommunications by utilizing the parameter generator of
elliptic curve using the following procedure as shown by the flowchart in
Fig. 17. The computer A 1602 asks the curve parameter generation server
1601 to generate a safe normal form elliptic curve transformable to a
Montgomery type elliptic curve at step 1701. Based on the above request
for generation of the curve, the curve parameter generation server 1601
generates the curve parameters 108 by supplying the definition field
information 103 to the parameter generator of elliptic curve 101, at step
1702. Here, as the definition field information 103, either definition
field information 2701, which includes the bit length of the definition
field, or definition field information 2704, which includes the
characteristic prime of the definition field, is given as shown in
Fig. 27. As new curve parameters, the curve parameter generation server
1601 supplies the defining equation and the curve order of a normal form
elliptic curve transformable to a Montgomery type elliptic curve to the
computer A 1602 at step 1703. The computer A 1602 supplies to the curve
parameter transformer 1605 the defining equation of the normal form
elliptic curve transformable to a Montgomery type elliptic curve, and
receives from the curve parameter transformer 1605 the defining equation
of a Montgomery type elliptic curve obtained by transforming the normal
form elliptic curve transformable to a Montgomery type elliptic curve, and
the x coordinate of a 2-order point on the normal form elliptic curve
corresponding to the point (0,0) on the Montgomery type elliptic curve at
step 1704. The computer A 1602 generates a pair of private and public keys
based on the above curve parameters at step 1705. The computer A 1602
registers the above generated public key in the public key server 1603 at
step 1706. The computer B 1604 inquires of the public key server 1603
about the public key of the computer A 1602 at step 1707. Based on the
public key inquiry made by the computer B 1604, the public key server 1603
supplies the public key of the computer A 1602 to the computer B 1604 at
step 1708. The computer B 1604 performs an encryption operation with the
public key of the computer A 1602 by utilizing a Montgomery type elliptic
curve to carry out cryptocommunications with the computer A 1602 at step
1709.

[0044] Fig. 18 is a diagram showing an elliptic curve 
cryptosystem which incorporates an apparatus for gen- 
erating a safe normal form elliptic curve transformable 
to a Montgomery type elliptic curve according to a sixth 
embodiment. 

[0045] A curve parameter generation server 1801 incorporates the parameter
generator of elliptic curve 101 of the first embodiment for generating a
safe normal form elliptic curve transformable to a Montgomery type
elliptic curve. A computer A 1802 generates a pair of private and public
keys to carry out cryptocommunications by elliptic curve cryptography
using a Montgomery type elliptic curve. A public key server 1803 registers
the public key of each computer, and receives a public key inquiry and
transmits the public key of a specified computer. A computer B 1804
carries out cryptocommunications with the computer A 1802 by elliptic
curve cryptography using a Montgomery type elliptic curve. A curve
parameter transformer 1805 receives a normal form elliptic curve
transformable to a Montgomery type elliptic curve, and outputs the
Montgomery type elliptic curve corresponding to the normal form elliptic
curve as well as the x coordinate of a 2-order point on the normal form
elliptic curve corresponding to the point (0,0) on the Montgomery type
elliptic curve.

[0046] According to the sixth embodiment, an elliptic curve cryptosystem
carries out cryptocommunications by utilizing the parameter generator of
elliptic curve using the following procedure as shown by the flowchart in
Fig. 19. The computer A 1802 asks the curve parameter generation server
1801 to generate a safe normal form elliptic curve transformable to a
Montgomery type elliptic curve at step 1901. Based on the above request
for generation of the curve, the curve parameter generation server 1801
generates the curve parameters 108 by supplying the definition field
information 103 to the parameter generator of elliptic curve 101, at step
1902. Here, as the definition field information 103, either definition
field information 2701, which includes the bit length of the definition
field, or definition field information 2704, which includes the
characteristic prime of the definition field, is given as shown in
Fig. 27. As new curve parameters, the curve parameter generation server
1801 supplies the defining equation and the curve order of a normal form
elliptic curve transformable to a Montgomery type elliptic curve to the
computer A 1802 at step 1903. The computer A 1802 generates a pair of
private and public keys based on the above curve parameters at step 1904.
The computer A 1802 registers the above generated public key in the public
key server 1803 at step 1905. The public key server 1803 supplies to the
curve parameter transformer 1805 the defining equation of the normal form
elliptic curve for the public key of the computer A 1802, which is
transformable to a Montgomery type elliptic curve, receives from the curve
parameter transformer 1805 the defining equation of a Montgomery type
elliptic curve obtained by transforming the above normal form elliptic
curve transformable to a Montgomery type elliptic curve and the x
coordinate of a 2-order point on the normal form elliptic curve
corresponding to the point (0,0) on the Montgomery type elliptic curve,
and adds them to information on the public key of the computer A 1802 at
step 1906. The computer B 1804 inquires of the public key server 1803
about the public key of the computer A 1802 at step 1907. Based on the
public key inquiry made by the computer B 1804, the public key server 1803
supplies the public key of the computer A 1802 to the computer B 1804 at
step 1908. The computer B 1804 performs an encryption operation with the
public key of the computer A 1802 by utilizing a Montgomery type elliptic
curve to carry out cryptocommunications with the computer A 1802 at step
1909. It should be noted that the order of steps 1906 and 1907 may be
changed such that the public key server 1803 asks the curve parameter
transformer 1805 to transform the normal form elliptic curve to a
Montgomery type elliptic curve after the computer B 1804 inquires of the
public key server 1803 about the public key of the computer A 1802.

[0047] Fig. 20 is a diagram showing an elliptic curve cryptosystem which
incorporates an apparatus for generating a safe normal form elliptic curve
transformable to a Montgomery type elliptic curve according to a seventh
embodiment.

[0048] A curve parameter generation server 2001 incorporates the parameter
generator of elliptic curve 101 of the first embodiment for generating a
safe normal form elliptic curve transformable to a Montgomery type
elliptic curve. A computer A 2002 generates a pair of private and public
keys to carry out cryptocommunications by elliptic curve cryptography
using a Montgomery type elliptic curve. A public key server 2003 registers
the public key of each computer, and receives a public key inquiry and
transmits the public key of a specified computer. A computer B 2004
carries out cryptocommunications with the computer A 2002 by elliptic
curve cryptography using a Montgomery type elliptic curve. A curve
parameter transformer 2005 receives a normal form elliptic curve
transformable to a Montgomery type elliptic curve, and outputs the
Montgomery type elliptic curve corresponding to the normal form elliptic
curve as well as the x coordinate of a 2-order point on the normal form
elliptic curve corresponding to the point (0,0) on the Montgomery type
elliptic curve.

[0049] According to the seventh embodiment, the elliptic curve
cryptosystem carries out cryptocommunications by utilizing the parameter
generator of elliptic curve using the following procedure as shown by the
flowchart in Fig. 21. The computer A 2002 asks the curve parameter
generation server 2001 to generate a safe normal form elliptic curve
transformable to a Montgomery type elliptic curve at step 2101. Based on
the above request for generation of the curve, the curve parameter
generation server 2001 generates the curve parameters 108 by supplying the
definition field information 103 to the parameter generator of elliptic
curve 101, at step 2102. Here, as the definition field information 103,
either definition field information 2701, which includes the bit length of
the definition field, or definition field information 2704, which includes
the characteristic prime of the definition field, is given as shown in
Fig. 27. As new curve parameters, the curve parameter generation server
2001 supplies the defining equation and the curve order of a normal form
elliptic curve transformable to a Montgomery type elliptic curve to the
computer A 2002 at step 2103. The computer A 2002 generates a pair of
private and public keys based on the above curve parameters at step 2104.
The computer A 2002 registers the above generated public key in the public
key server 2003 at step 2105. The computer B 2004 inquires of the public
key server 2003 about the public key of the computer A 2002 at step 2106.
Based on the public key inquiry made by the computer B 2004, the public
key server 2003 supplies the public key of the computer A 2002 to the
computer B 2004 at step 2107. The computer B 2004 supplies to the curve
parameter transformer 2005 the defining equation of the normal form
elliptic curve for the public key of the computer A 2002, which is
transformable to a Montgomery type elliptic curve, receives from the curve
parameter transformer 2005 the defining equation of a Montgomery type
elliptic curve obtained by transforming the above normal form elliptic
curve transformable to a Montgomery type elliptic curve and the x
coordinate of a 2-order point on the normal form elliptic curve
corresponding to the point (0,0) on the Montgomery type elliptic curve,
and adds them to information on the public key of the computer A 2002 at
step 2108. The computer B 2004 performs an encryption operation with the
public key of the computer A 2002 by utilizing a Montgomery type elliptic
curve to carry out cryptocommunications with the computer A 2002 at step
2109.

[0050] Fig. 22 is a diagram showing a transformability judgement apparatus
for determining transformability of a normal form elliptic curve to a
Montgomery type elliptic curve in an apparatus for generating a safe
normal form elliptic curve transformable to a Montgomery type elliptic
curve.

[0051] A transformability judgement apparatus 2201 determines whether a
given normal form elliptic curve can be transformed to a Montgomery type
elliptic curve, using a judgement unit of root existence 2202 and a
judgement unit of quadratic residue 2203. The judgement unit of root
existence 2202 determines whether the equation $f(x) = 0$ has a root in
$F_p$. The transformability judgement apparatus 2201 outputs the
indication "not transformable" when $f(x) = 0$ has no root other than ones
for which $f'(\alpha)$ has been determined to be a quadratic non-residue
by the judgement unit of quadratic residue 2203. If there exists a root,
the root is supplied to the judgement unit of quadratic residue 2203. The
judgement unit of quadratic residue 2203 determines whether $f'(\alpha)$
is a quadratic residue in $F_p$ for $\alpha$ for which $f(\alpha) = 0$. If
it is a quadratic residue, the indication "transformable" is output. If it
is a quadratic non-residue, the judgement unit of quadratic residue 2203
inquires of the judgement unit of root existence 2202 whether there is any
other root.
[0052] The transformability judgement apparatus 2201 determines whether a
normal form elliptic curve can be transformed to a Montgomery type
elliptic curve using the following procedure as shown by the flowchart in
Fig. 3. At step 301, it is determined whether there is any element
$\alpha$ of $F_p$ for which $f(\alpha) = 0$ for the normal form elliptic
curve $y^2 = f(x) = x^3 + ax + b$. If there is no such element $\alpha$,
the transformability judgement apparatus 2201 outputs the indication "not
transformable" at step 304 and the process ends. If there is such an
element $\alpha$, the judgement unit of quadratic residue 2203 determines
whether there is an element $\alpha$ for which $f'(\alpha)$ is a quadratic
residue in $F_p$ where $f(\alpha) = 0$ at step 302. If there is such an
element $\alpha$, the transformability judgement apparatus 2201 outputs
the indication "transformable" at step 303 and the process ends. If there
is no such element $\alpha$, the transformability judgement apparatus 2201
outputs the indication "not transformable" at step 304 and the process
ends.

[0053] Fig. 23 is a diagram showing a curve parameter transformer in
elliptic curve cryptosystems, shown in Figs. 16, 18, and 20, which each
incorporates an apparatus for generating a safe normal form elliptic curve
transformable to a Montgomery type elliptic curve.

[0054] The curve parameter transformer 2301 receives a normal form
elliptic curve transformable to a Montgomery type elliptic curve, and
calculates and outputs the corresponding Montgomery type elliptic curve
and the x coordinate of a 2-order point on the normal form elliptic curve
corresponding to the point (0,0) on the Montgomery type elliptic curve as
a point transformation parameter, using a root calculation unit 2303, a
judgement unit of quadratic residue 2302, and a composition unit of curve
parameter 2304. The root calculation unit 2303 finds a root $\alpha$ of
the equation $f(x) = 0$ in $F_p$. The judgement unit of quadratic residue
2302 determines whether $f'(\alpha)$ is a quadratic residue in $F_p$ for
$\alpha$ obtained by the root calculation unit 2303. The composition unit
of curve parameter 2304 composes a Montgomery type elliptic curve using
$\alpha$ obtained by the root calculation unit 2303.

[0055] The curve parameter transformer 2301 calculates a Montgomery type
elliptic curve transformed from a normal form elliptic curve transformable
to a Montgomery type elliptic curve, and the x coordinate of a 2-order
point on the normal form elliptic curve corresponding to the point (0,0)
on the Montgomery type elliptic curve, using the following procedure as
shown by the flowchart in Fig. 24. Step 2401 finds a root $\alpha$ of the
equation $f(x) = 0$ in $F_p$. At step 2403, it is determined whether
$f'(\alpha)$ is a quadratic residue in $F_p$. If it is a quadratic
residue, the process flow proceeds to step 2404. If it is a quadratic
non-residue, step 2402 finds a root other than $\alpha$ for which it is
determined that $f'(\alpha)$ is a quadratic non-residue at step 2403. The
root is newly denoted as $\alpha$. Then, for the root $\alpha$, it is
determined whether $f'(\alpha)$ is a quadratic residue in $F_p$ at step
2403 again. Since the equation $f(x) = 0$ has 3 roots at most, and the
normal form elliptic curve is already known to be transformable to a
Montgomery type elliptic curve, $f'(\alpha)$ is determined to be a
quadratic residue by the time the process has been repeated for the third
time. Then, the process proceeds to step 2404. Step 2404 calculates $s$
from the equation $s = f'(\alpha)^{-1/2}$, and step 2405 calculates $B$
and $A$ from the equations $B = s$ and $A = 3\alpha s$. $A$, $B$, and
$\alpha$ are output at step 2406.
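
The judgement of Fig. 3 and the transformer of Fig. 24 can be exercised end to end on a toy field. The Python below is an added example, not code from the patent: the function names, the exhaustive root search, the Tonelli-Shanks square root, the constructed curves over p = 1009 and p = 7, and the check of the change of variables (x, y) -> (s(x - alpha), s*y) are assumptions of this example.

```python
# Added example (not from the patent): Fig. 3 judgement and Fig. 24 transformer
# for y^2 = f(x) = x^3 + a*x + b over a prime field F_p. Names are hypothetical.

def legendre(n, p):
    """Euler's criterion: 1 for a nonzero square, p - 1 for a non-residue, 0 for 0."""
    return pow(n % p, (p - 1) // 2, p)

def sqrt_mod(n, p):
    """Square root of a quadratic residue n modulo an odd prime p (Tonelli-Shanks)."""
    n %= p
    if n == 0:
        return 0
    if legendre(n, p) != 1:
        raise ValueError("not a quadratic residue")
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, e = p - 1, 0
    while q % 2 == 0:
        q, e = q // 2, e + 1
    z = 2
    while legendre(z, p) != p - 1:      # smallest quadratic non-residue
        z += 1
    m, c, t, r = e, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                  # least i with t^(2^i) == 1
            t2, i = t2 * t2 % p, i + 1
        w = pow(c, 1 << (m - i - 1), p)
        m, c = i, w * w % p
        t, r = t * c % p, r * w % p
    return r

def f(x, a, b, p):
    return (x * x * x + a * x + b) % p

def roots_of_f(a, b, p):
    """Roots of f in F_p by exhaustive search: fine for the toy primes used here;
    a production generator would take gcd(x^p - x, f(x)) instead."""
    return [x for x in range(p) if f(x, a, b, p) == 0]

def judge_transformable(a, b, p):
    """Fig. 3: a root alpha whose f'(alpha) = 3*alpha^2 + a is a quadratic residue,
    or None ("not transformable"). f'(alpha) == 0 (singular curve) is rejected too."""
    for alpha in roots_of_f(a, b, p):
        if legendre(3 * alpha * alpha + a, p) == 1:
            return alpha
    return None

def to_montgomery(a, b, p):
    """Fig. 24: s = f'(alpha)^(-1/2), B = s, A = 3*alpha*s; returns (A, B, alpha)."""
    alpha = judge_transformable(a, b, p)
    if alpha is None:
        raise ValueError("not transformable")
    s = pow(sqrt_mod(3 * alpha * alpha + a, p), p - 2, p)
    return 3 * alpha * s % p, s, alpha

def map_preserves_curve(a, b, p):
    """Check that (x, y) -> (s*(x - alpha), s*y) sends every affine point of the
    normal form curve onto B*Y^2 = X^3 + A*X^2 + X, and (alpha, 0) to (0, 0)."""
    A, B, alpha = to_montgomery(a, b, p)
    for x in range(p):
        fx = f(x, a, b, p)
        if fx != 0 and legendre(fx, p) != 1:
            continue                    # no point with this x coordinate
        X, Y = B * (x - alpha) % p, B * sqrt_mod(fx, p) % p
        if (B * Y * Y - (X * X * X + A * X * X + X)) % p != 0:
            return False
        if x == alpha and (X, Y) != (0, 0):
            return False
    return True

def curve_order(a, b, p):
    """#E(F_p) by direct count: 1 for infinity plus 1 + chi(f(x)) for each x."""
    n = 1
    for x in range(p):
        chi = legendre(f(x, a, b, p), p)
        n += 1 if chi == 0 else 2 if chi == 1 else 0
    return n

if __name__ == "__main__":
    # Constructed curve over p = 1009 with root 5 and f'(5) = 4, a square.
    p, a, b = 1009, 938, 230
    print("A, B, alpha =", to_montgomery(a, b, p))
    print("points map onto the Montgomery curve:", map_preserves_curve(a, b, p))
    print("order divisible by 4:", curve_order(a, b, p) % 4 == 0)
    # Constructed curve with a single root whose f' is a non-residue.
    print("y^2 = x^3 + 2x + 4 over F_7:", judge_transformable(2, 4, 7))
```

The curve y^2 = x^3 + 6x over F_7 has roots 0, 1 and 6; the root 0 is rejected because f'(0) = 6 is a non-residue, and the second root 1 is accepted, which is the retry loop of steps 2402 and 2403.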

[0056] As shown in Fig. 27, by use of a curve param- 
eter transformer as described above, a curve parameter 
2702 and a public key 2703 each obtained only from a 
normal form elliptic curve can be transformed to a curve 
parameter 2705 and a public key 2706 respectively 
each added with the corresponding Montgomery type 
elliptic curve data. 

[0057] Fig. 25 is a diagram showing a transformability judgement apparatus
for determining transformability of a normal form elliptic curve to a
Montgomery type elliptic curve in an apparatus for generating a safe
normal form elliptic curve defined over an extension field $F_q$ of $F_p$
and transformable to a Montgomery type elliptic curve.
[0058] A transformability judgement apparatus 2501 determines whether a
given normal form elliptic curve defined over $F_q$ can be transformed to
a Montgomery type elliptic curve, using a judgement unit of root existence
2502 and a judgement unit of square root 2503. The judgement unit of root
existence 2502 determines whether the equation $f(x) = 0$ has a root in
$F_q$. The transformability judgement apparatus 2501 outputs the
indication "not transformable" when $f(x) = 0$ has no root other than ones
for which $f'(\alpha)$ has been determined to be a quadratic non-residue
by the judgement unit of square root 2503. If there exists a root, the
root is supplied to the judgement unit of square root 2503. The judgement
unit of square root 2503 determines whether $f'(\alpha)$ has a square root
in $F_q$ for $\alpha$ for which $f(\alpha) = 0$. If it has a square root,
the indication "transformable" is output. If it has no square root, the
judgement unit of square root 2503 inquires of the judgement unit of root
existence 2502 whether the equation $f(x) = 0$ has any other root.
[0059] The transformability judgement apparatus 2501 determines whether a
normal form elliptic curve defined over $F_q$ can be transformed to a
Montgomery type elliptic curve using the following procedure as shown by
the flowchart in Fig. 26. At step 2601, it is determined whether there is
any element $\alpha$ of $F_q$ for which $f(\alpha) = 0$ for the normal
form elliptic curve $y^2 = f(x) = x^3 + ax + b$. If there is no such
element $\alpha$, the transformability judgement apparatus 2501 outputs
the indication "not transformable" at step 2604 and the process ends. If
there is such an element $\alpha$, the judgement unit of square root 2503
determines whether there is an element $\alpha$ for which $f'(\alpha)$ has
a square root in $F_q$ where $f(\alpha) = 0$ at step 2602. If there is
such an element $\alpha$, the transformability judgement apparatus 2501
outputs the indication "transformable" at step 2603 and the process ends.
If there is no such element $\alpha$, the transformability judgement
apparatus 2501 outputs the indication "not transformable" at step 2604 and
the process ends.
[0060] Fig. 28 is a diagram showing a curve permutation management
apparatus to be incorporated in a public key server, a computer A, or
computer B in an elliptic curve cryptosystem which incorporates an
apparatus for generating a safe normal form elliptic curve transformable
to a Montgomery type elliptic curve.
[0061] A curve permutation management apparatus 2801 comprises a selection
unit of judged curve 2802, a judgement unit of curve permutation 2803, and
a key table 2804. The key table 2804 is a data table listing curve
parameters and public keys.
[0062] The selection unit of judged curve 2802 is activated at a
predetermined time or every predetermined period of time to select curve
parameters from the key table 2804. The selected curve parameters are sent
to the judgement unit of curve permutation 2803. The judgement unit of
curve permutation 2803 checks whether the generation time of the received
curve parameters or the number of users of the curve parameters exceeds a
predetermined value which must not be exceeded in order to maintain
safety, and when it exceeds the value, the judgement unit of curve
permutation 2803 outputs an indication indicating that it is necessary to
replace the given curve parameters with new ones.
[0063] Fig. 29 is a sequence chart showing a flow of processes performed
in the case where the curve permutation management apparatus shown in
Fig. 28 is incorporated in a public key server.
[0064] A curve permutation management apparatus 2903 sends a curve
parameter permutation request to a public key server 2902. Based on the
curve parameter permutation request made by the curve permutation
management apparatus 2903, the public key server 2902 sends a curve
parameter generation request to a curve parameter generation server 2901.
Based on the curve parameter generation request made by the public key
server 2902, the curve parameter generation server 2901 generates new
curve parameters, and sends them to the public key server 2902. The public
key server 2902 replaces the current curve parameters with new curve
parameters received from the curve parameter generation server 2901. The
public key server 2902 sends the new curve parameters and a new-public-key
registration request to a computer A 2904 which is currently using the
previous curve parameters. Based on the new-public-key registration
request made by the public key server 2902, the computer A 2904 generates
a pair of private and public keys for the received new curve parameters.
The computer A 2904 then registers the generated public key in the public
key server 2902.
[0065] As described above, the present invention can provide a reduction
in the number of generations of a safe normal form elliptic curve
necessary to generate a safe normal form elliptic curve transformable to a
Montgomery type elliptic curve, resulting in reduced cost for generating
an elliptic curve having the above property. Thus, it is possible to
regularly replace an elliptic curve used for cryptography with a new one
having the above property in order to prevent an attack against a specific
elliptic curve. Furthermore, since the elliptic curve can be transformed
to a Montgomery type elliptic curve, use of the Montgomery type elliptic
curve makes it possible to reduce the time taken to encrypt/decrypt data,
compared with use of a normal form elliptic curve.

Industrial Applicability 

[0066] As described above, the present invention is useful for maintaining
security for computer networks, and especially suitable for use in the
environment in which security management is performed by use of elliptic
curve cryptography.



Claims 

1. A method of generating an elliptic curve, comprising the steps of:

generating a first elliptic curve;
generating a second elliptic curve related to said first elliptic curve;
determining whether said first elliptic curve can be transformed to a
third elliptic curve; and
when said first elliptic curve can be transformed to said third elliptic
curve, determining safety of said first elliptic curve and said second
elliptic curve.

2. The method of generating an elliptic curve as 
claimed in claim 1, wherein said second elliptic 
curve is a twist of said first elliptic curve. 

3. The method of generating an elliptic curve as claimed in claim 1,
wherein said first elliptic curve is $y^2 = x^3 + ax + b$; said second
elliptic curve is $y^2 = x^3 + ar^2x + br^3$; and said third elliptic
curve is $BY^2 = X^3 + AX^2 + X$.

4. The method of generating an elliptic curve as claimed in claim 3,
wherein said step of determining whether said first elliptic curve can be
transformed to said third elliptic curve includes steps of:

determining whether there is $\alpha$ for which $f(\alpha) = 0$ for said
first elliptic curve $y^2 = f(x)$; and
determining whether $f'(\alpha)$ has a square root for $\alpha$ for which
$f(\alpha) = 0$.

5. The method of generating an elliptic curve as claimed in claim 1,
wherein said step of determining the safety of said first elliptic curve
includes steps of:

extracting information on a curve order of said first elliptic curve; and
determining a cofactor based on the information on said curve order.

6. The method of generating an elliptic curve as 
claimed in claim 1, wherein said method uses the 
first elliptic curve defined over a field of a predeter- 
mined prime order. 

7. A method of generating an elliptic curve, comprising the steps of:

generating a first elliptic curve;
determining whether said first elliptic curve can be transformed to a
second elliptic curve;
when said first elliptic curve can be transformed to said second elliptic
curve, determining safety of said first elliptic curve; and
when it is determined that said first elliptic curve is not safe,
determining safety of a third elliptic curve which accompanies said first
elliptic curve.

8. A method of generating an elliptic curve in elliptic curve
cryptography, comprising the steps of:

randomly generating a normal form elliptic curve $y^2 = x^3 + ax + b$;
determining whether said generated normal form elliptic curve
$y^2 = x^3 + ax + b$ can be transformed to a Montgomery type elliptic
curve $BY^2 = X^3 + AX^2 + X$;
determining divisibility of a curve order of said elliptic curve by 8;
collecting information on the curve order of said elliptic curve; and
determining a value of a cofactor based on the information on said curve
order;

wherein a normal form elliptic curve which can be transformed to a
Montgomery type elliptic curve and whose cofactor is 4 is generated.

9. An apparatus for generating an elliptic curve, comprising:

elliptic curve candidate generating means for generating a first elliptic
curve $y^2 = x^3 + ax + b$;
transformability judgement means for determining whether said first
elliptic curve can be transformed to a second elliptic curve
$BY^2 = X^3 + AX^2 + X$; and
safety judgement means for determining safety of the first elliptic curve
transformable to said second elliptic curve.

10. The apparatus for generating an elliptic curve as claimed in claim 9,
wherein said transformability judgement means includes:

root existence judgement means for determining whether there is $\alpha$
for which $f(\alpha) = 0$ for said first elliptic curve; and
square root judgement means for determining whether $f'(\alpha)$ has a
square root for $\alpha$ for which $f(\alpha) = 0$.

11. The apparatus for generating an elliptic curve as claimed in claim 9,
wherein said transformability judgement means includes:

root existence judgement means for determining whether there is $\alpha$
for which $f(\alpha) = 0$ for said first elliptic curve; and
quadratic residue judgement means for determining whether $f'(\alpha)$ is
a quadratic residue for $\alpha$ for which $f(\alpha) = 0$.



12. An apparatus for generating an elliptic curve employed in a
cryptosystem in which a first computer and a second computer carry out
cryptocommunications with each other, wherein said apparatus receives a
request for generation of an elliptic curve from each said computer, and
generates a normal form elliptic curve transformable to a Montgomery type
elliptic curve.

13. A storage medium storing a program for performing a method for
generating an elliptic curve, said method comprising the steps of:

generating a first elliptic curve $y^2 = x^3 + ax + b$;
generating a second elliptic curve $y^2 = x^3 + ar^2x + br^3$ which is
related to said first elliptic curve;
determining whether said first elliptic curve can be transformed to a
third elliptic curve $BY^2 = X^3 + AX^2 + X$;
determining safety of the first elliptic curve which can be transformed to
said third elliptic curve; and
determining safety of said second elliptic curve.

14. A cryptosystem for carrying out cryptocommunications by use of
elliptic curve cryptography, comprising:

a first computer for receiving cryptocommunication;
a second computer for transmitting cryptocommunication; and
an elliptic curve generating apparatus for receiving a request for
generation of an elliptic curve from said first computer, and generating a
normal form elliptic curve transformable to a Montgomery type elliptic
curve.

15. The cryptosystem for carrying out cryptocommunications by use of
elliptic curve cryptography as claimed in claim 14, further comprising:

a curve replacement management apparatus for managing whether it is
necessary to replace an elliptic curve being used for cryptocommunications,

wherein when it becomes necessary to replace said elliptic curve, the
elliptic curve is replaced with an elliptic curve newly generated by said
elliptic curve generating apparatus to carry out cryptocommunications.